Linux and IoT malware analysis with r2ai
Axelle Apvrille
NorthSec 2025 · Day 1 · Salle de bal
Axelle Apvrille demonstrates how r2ai, a plugin that connects the Radare2 disassembler to large language models, can substantially accelerate Linux and IoT malware analysis. Using live demos against a real Linux shellcode from March 2025 and a recent variant of the Ladvix/Rhomba/Ebola malware family, she shows both the direct and the automatic modes of r2ai, documents where the AI produces accurate output, and teaches analysts where and how to catch the errors it reliably introduces. The verdict: AI-assisted reverse engineering is genuinely useful, but the analyst must remain in control.
AI review
Fortinet/FortiGuard Labs researcher Axelle Apvrille demonstrates AI-assisted malware reverse engineering using r2ai (Radare2 + LLM) against real samples: a March 2025 Linux shellcode (Shellcode ConnectBack) and a recent Ladvix/Rhomba/Ebola IoT malware variant. The talk documents both the genuine productivity gains (compressed time-to-understanding for unfamiliar binaries) and three failure modes analysts must validate against: factual errors (wrong IP/port), dangerous omissions (missing critical execution lines), and hallucinations (fabricated function calls).
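As an added example (not r2ai's code and not material from the talk), the Python script below shows the kind of independent check an analyst can run on an x86-64 Linux connect-back shellcode to catch the three failure modes listed above: it recovers the inline `struct sockaddr_in` (IP and port) and the `mov eax/al, imm ; syscall` sequence directly from the bytes, then diffs that against what the model claimed. The shellcode bytes and the "LLM claim" are constructed for this demo; the syscall-number table is the x86-64 Linux one; both pattern matchers are deliberately narrow heuristics (they only catch the load-immediate-then-syscall idiom and a contiguous sockaddr_in), so on a real sample they complement rather than replace reading the disassembly in r2.

```python
"""Cross-check an LLM's description of a Linux x86-64 connect-back shellcode
against the raw bytes.  Added example, not part of r2ai or the talk: the
shellcode fragment and the LLM "claim" below are constructed for the demo."""
import struct
import ipaddress

# Subset of the x86-64 Linux syscall table relevant to a connect-back stub.
SYSCALLS = {41: "socket", 42: "connect", 33: "dup2", 59: "execve",
            49: "bind", 50: "listen", 43: "accept"}

# Constructed x86-64 fragment (not a working exploit, just the idioms a
# connect-back stub contains):
#   mov eax,41 ; syscall          socket()
#   movabs rbx, <sockaddr_in>     AF_INET, port 4444 (0x115c BE), 192.168.1.10
#   mov eax,42 ; syscall          connect()
#   mov al,33  ; syscall          dup2()
#   mov eax,59 ; syscall          execve()
SHELLCODE = (
    b"\xb8\x29\x00\x00\x00\x0f\x05"
    b"\x48\xbb\x02\x00\x11\x5c\xc0\xa8\x01\x0a"
    b"\xb8\x2a\x00\x00\x00\x0f\x05"
    b"\xb0\x21\x0f\x05"
    b"\xb8\x3b\x00\x00\x00\x0f\x05"
)

# Invented model output with one wrong fact (IP), one hallucinated call
# (bind) and two omissions (dup2, execve).
LLM_CLAIM = {"ip": "10.0.0.1", "port": 4444,
             "syscalls": ["socket", "bind", "connect"]}


def find_sockaddr_in(code: bytes):
    """Heuristic: locate an inline struct sockaddr_in.  sin_family AF_INET is
    0x0002 little-endian, sin_port is network byte order, sin_addr is four
    raw bytes.  Returns [(offset, ip, port)]; zero port/address are skipped."""
    hits = []
    for i in range(len(code) - 7):
        if code[i:i + 2] != b"\x02\x00":
            continue
        port = struct.unpack(">H", code[i + 2:i + 4])[0]
        ip = ipaddress.IPv4Address(code[i + 4:i + 8])
        if port == 0 or ip.packed == b"\x00\x00\x00\x00":
            continue
        hits.append((i, str(ip), port))
    return hits


def find_syscalls(code: bytes):
    """Heuristic: 'mov eax, imm32 ; syscall' (B8 id 0F 05) or
    'mov al, imm8 ; syscall' (B0 ib 0F 05).  Returns [(offset, nr, name)]."""
    found = []
    i = 0
    while i < len(code):
        start = i
        if code[i] == 0xB8 and code[i + 5:i + 7] == b"\x0f\x05":
            nr = struct.unpack("<I", code[i + 1:i + 5])[0]
            i += 7
        elif code[i] == 0xB0 and code[i + 2:i + 4] == b"\x0f\x05":
            nr = code[i + 1]
            i += 4
        else:
            i += 1
            continue
        found.append((start, nr, SYSCALLS.get(nr, f"sys_{nr}")))
    return found


def check_claim(code: bytes, claim: dict):
    """Diff the model's description against the bytes.  The three buckets
    match the failure modes from the talk: wrong facts (IP/port), hallucinated
    calls (claimed but absent) and omissions (present but not mentioned)."""
    addrs = find_sockaddr_in(code)
    real = [name for _, _, name in find_syscalls(code)]
    report = {"wrong_facts": [], "hallucinated": [], "omitted": []}
    if not any(ip == claim["ip"] for _, ip, _ in addrs):
        report["wrong_facts"].append(
            f"ip {claim['ip']} not found; binary has {[a[1] for a in addrs]}")
    if not any(port == claim["port"] for _, _, port in addrs):
        report["wrong_facts"].append(
            f"port {claim['port']} not found; binary has {[a[2] for a in addrs]}")
    report["hallucinated"] = [n for n in claim["syscalls"] if n not in real]
    report["omitted"] = [n for n in real if n not in claim["syscalls"]]
    return report


if __name__ == "__main__":
    print("sockaddr_in :", find_sockaddr_in(SHELLCODE))
    print("syscalls    :", find_syscalls(SHELLCODE))
    print("claim check :", check_claim(SHELLCODE, LLM_CLAIM))
```

On a real sample the same two lookups are a few keystrokes in r2 (search for the `02 00` family marker and for `0f 05` syscall instructions, then read the immediates yourself); the point of scripting them is that the model's answer gets checked against the bytes every time rather than only when something looks off.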